[英]Try to download export from google vault, get 403 error using service account
從https://developers.google.com/vault/guides/exports上的文檔中,我已經能夠創建、列出和檢索導出,但我還沒有找到任何方法來下載與特定關聯的導出數據出口。 有什么方法可以通過 API 下載導出的文件,還是只能通過 Vault UI 獲得?
導出元數據中有一個 cloudStorageSink 鍵,但嘗試使用通過雲存儲 API 提供的值會導致一般權限問題(403 錯誤)。
我得到了一個錯誤:
com.google.cloud.storage.StorageException: gcsadmin@gmail-acess-347301.iam.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object.
71e6f8ba-dc92-494f-b584-1a9675074c0b/exportly-f1c1ecd8-254c-4078-b0c2-5228905720d3/My_first_mail_accounts_export-metadata.csv 4d17606f-0ebc-46e7-8369-d8e4ffd12b44
at com.google.cloud.storage.StorageException.translate(StorageException.java:118)
at com.google.cloud.storage.spi.v1.HttpStorageRpc.translate(HttpStorageRpc.java:287)
at com.google.cloud.storage.spi.v1.HttpStorageRpc.get(HttpStorageRpc.java:512)
at com.google.cloud.storage.StorageImpl.lambda$get$6(StorageImpl.java:285)
at com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:103)
at com.google.cloud.RetryHelper.run(RetryHelper.java:76)
at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:50)
at com.google.cloud.storage.Retrying.run(Retrying.java:54)
at com.google.cloud.storage.StorageImpl.run(StorageImpl.java:1406)
at com.google.cloud.storage.StorageImpl.get(StorageImpl.java:284)
at com.google.cloud.storage.StorageImpl.get(StorageImpl.java:290)
at com.q1d.googlevaulttest.Quickstart.downloadObject(Quickstart.java:159)
at com.q1d.googlevaulttest.Quickstart.main(Quickstart.java:215)
Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
GET https://storage.googleapis.com/storage/v1/b/4d17606f-0ebc-46e7-8369-d8e4ffd12b44/o/71e6f8ba-dc92-494f-b584-1a9675074c0b%2Fexportly-f1c1ecd8-254c-4078-b0c2-5228905720d3%2FMy_first_mail_accounts_export-1.zip?projection=full
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "gcsadmin@gmail-acess-347301.iam.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object.",
"reason" : "forbidden"
} ],
"message" : "gcsadmin@gmail-acess-347301.iam.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object."
}
at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:146)
at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:118)
at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:37)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest$1.interceptResponse(AbstractGoogleClientRequest.java:428)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1111)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:514)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:455)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:565)
at com.google.cloud.storage.spi.v1.HttpStorageRpc.get(HttpStorageRpc.java:509)
... 10 more
按照其他用戶指南,我試圖下載 object 而不是整個存儲桶,這是我正在使用的代碼:(gcs.json 密鑰文件是我在谷歌雲中創建的具有域范圍委托的服務帳戶)
public static void downloadObject(String projectId, String bucketName, String objectName,
String destFilePath) throws IOException {
// The ID of your GCP project
// String projectId = "your-project-id";
// The ID of your GCS bucket
// String bucketName = "your-unique-bucket-name";
// The ID of your GCS object
// String objectName = "your-object-name";
// The path to which the file should be downloaded
// String destFilePath = "/local/path/to/file.txt";
// Load client secrets.
InputStream in = Quickstart.class.getResourceAsStream("/gcs.json");
if (in == null) {
throw new FileNotFoundException("Resource not found: " + "gcs.json");
}
Storage storage = StorageOptions.newBuilder().setCredentials(ServiceAccountCredentials.fromStream(in)).build()
.getService();
Blob blob = storage.get(BlobId.of(bucketName, objectName));
//Blob blob = storage.get(BlobId.fromGsUtilUri(objectURI));
blob.downloadTo(Paths.get(destFilePath));
System.out
.println("Downloaded object " + objectName + " from bucket name " + bucketName + " to " + destFilePath);
}
這部分錯誤指示如何解決問題:
gcsadmin@gmail-acess-347301.iam.gserviceaccount.com 沒有 storage.objects.get 訪問 Google 雲存儲 object
解決方案是添加一個具有所需權限的角色。 例如:
Storage Object Viewer (roles/storage.objectViewer)
必須將角色添加到服務帳戶:
gcsadmin@gmail-acess-347301.iam.gserviceaccount.com
gcloud projects add-iam-policy-binding REPLACE_WITH_YOUR_PROJECT_ID \
--member='serviceAccount:gcsadmin@gmail-acess-347301.iam.gserviceaccount.com' \
--role='roles/storage.objectViewer'
該命令的文檔:
錯誤:(gcloud.builds.submit)錯誤 403:<service account> 沒有 storage.objects.get 訪問谷歌雲存儲 object</service>
[英]ERROR: (gcloud.builds.submit) Error 403: <SERVICE ACCOUNT> does not have storage.objects.get access to the Google Cloud Storage object
Google Cloud Platform:有沒有辦法使用服務帳戶密鑰獲取有關服務帳戶創建者的信息
[英]Google Cloud Platform: Is there a way to get information about the creator of a service account, using the service account key
firebase API 通過服務賬號添加分析403權限錯誤
[英]firebase API add analytics through service account 403 permission error
無法使用 App Service 上的 Azure MSI 訪問 Key Vault
[英]Unable to get access to Key Vault using Azure MSI on App Service
使用托管身份從 Hashicorp Vault 中檢索 Azure 應用服務中的秘密 | 缺少角色 - 錯誤
[英]Retrieval of secrets in Azure App Service from Hashicorp Vault using Managed Identity | Missing Role - Error
Google Cloud 403 錯誤擁有項目的計費帳戶在狀態不存在時被禁用
[英]Google Cloud 403 Error The billing account for the owning project is disabled in state absent
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.